With the rapid growth of the Internet and computer network technology in general, network security has become a major concern to companies around the world. The fact that the tools and information needed to penetrate the security of corporate networks are widely available has only increased that concern. Because of the increased focus on network security, network security administrators often spend more effort protecting their networks than on actual network setup and administration.
Confidential information normally resides in two states on a computer network. It can reside on physical storage media, such as a hard disk or memory of a device such as a server, or it can reside in transit across the physical network wire in the form of packets. A packet is a block of data that carries with it the information necessary to deliver it, analogous to an ordinary postal letter that has address information written on the envelope. A data packet switching network uses the address information contained in the packets to switch the packets from one physical network connection to another in order to deliver the packet to its final destination. In modern computer network technology, network nodes such as gateway devices, routers, and switches are commonly utilized to forward data packets toward their destinations. The format of a packet is usually defined according to a certain protocol. For example, the format of a packet according to the widely-used Internet protocol (IP) is known as a datagram.
Computer viruses and worms are two types of malicious programs designed to attack and compromise the security of a network. A computer virus attaches itself to a program or file so it can spread from one computer to another through the process of sharing infected files or sending e-mails with viruses as attachments in the e-mail. Most often, viruses are attached to an executable file, which means the virus may exist on a computer or network node but it cannot damage the computer's hardware, software, or files unless a user runs or opens the malicious program.
A worm is similar to a virus by its design, but is much more insidious than a virus insomuch as it has the ability to propagate without direct human action (such as running an infected program). A worm takes advantage of file or information transport features on a computer system, which allows it to rapidly propagate throughout a network unaided. A big danger with a worm is its ability to replicate itself so that a single host computer can send out hundreds or thousands of copies of the worm to other computers in the network, thereby creating a huge devastating effect. For example, a worm may scan hundreds of computer nodes across a local access network (LAN) looking for a vulnerable host. When a worm finds a vulnerable hose, it tries to infect it and continue the replication process down the connectivity line.
A worm's ability to propagate itself rapidly (and often surreptitiously) is essential to its success in disrupting the integrity of a network by compromising Web servers, network servers, and individual computers. For example, the recent “MySQL” worm attack was reported to have infected approximately 4,500 computer systems per hour in the early hours following outbreak. Detection of a worm may occur when the worm starts consumes large amounts of system memory or network bandwidth, which may cause certain network nodes to stop responding. Evidence of a worm attack may also be found in a significant upsurge in scans performed on a particular port of a network device. For example, a past outbreak of the MySQL worm was evidenced by a massive number of port 3306 scans during a relatively short time period.
Current Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) technologies usually discover worm attacks via comparisons of network traffic against known attack signatures. Basically, data packets traveling across the network are inspected for the presence of a particular byte signature associated with a known worm. Knowledge of the worm's signature is typically obtained by extensive analysis of the malicious code after it has been detected on a victim network. This conventional worm detection technique is described in U.S. Patent Application No. 2005/0022018, which teaches a system for detecting and preventing the spread of malicious code in which a local analysis center provides a signature update to a network IDS. Another signature technique is described at http://www.cs.ucsd.edu/Dienst/UI/2.0/Describe/ncstrl.ucsd_cse/CS2003-0761.
The signature update approach to detecting and stopping a worm attack is illustrated in FIG. 1, which shows a timeline of a worm's propagation in an enterprise network. The example of FIG. 1 begins with an infected laptop computer connecting to a corporate network at time T1. As soon as the laptop connects to the network, the worm starts replicating itself by infecting nearby hosts. The worm continues to spread in an undetected manner until the time, T2, when network users or a system administrator first reports a problem with network operations or with particular computer nodes. At this point, the arduous and time-consuming process of manually analyzing and reverse-engineering the worm begins. Once a corresponding signature of the worm has been identified, a small piece of software (known as a “patch”) designed to fix or shore up the vulnerability is then installed onto each and every node of the network. The creation of a patch is shown occurring at time T3 in FIG. 1.
One problem with existing signature update approaches is that it usually takes a long time (e.g., 4-5 hours) to generate a working patch after a worm has been detected. During this interval (e.g., from T2 to T3) the worm may continue to spread and infect tens of thousands of additional computers. Another drawback is that signature databases must be constantly updated, and the intrusion detection system must be able to compare and match activities against large collections of attack signatures. That is to say, a signature-based IDS only operates on known attacks. In addition, if signatures definitions are too specific the IDS may miss variations or mutations of known attacks. The signatures also need to be configured for each branch/installation of the network. For a large corporation the overhead associated with maintaining the signature database information can be very costly.
Profile-based intrusion detection, sometimes called anomaly detection, is another security methodology that has been used to detect malicious network activity. Anomaly detection systems examine ongoing network traffic, activity, transactions, or behavior for anomalies on networks that deviates from a “normal” host-host communications profile. By keeping track of the services used/served by each host and the relationships between hosts, anomaly-based intrusion detection systems can observe when current network activity deviates statistically from the norm, thereby providing an indicator of attack behavior.
U.S. Pat. No. 6,681,331 teaches a dynamic software management approach to analyzing the internal behavior of a system in order to assist in the detection of intruders. Departures from a normal system profile represent potential invidious activity on the system. U.S. Pat. No. 6,711,615 describes a method of network surveillance that includes receiving network packets (e.g., TCP) handled by a network entity and building long-term and short-term statistical profiles. A comparison between the building long-term and short-term profiles is used to identify suspicious network activity.
One problem with conventional anomaly detection systems is that the baseline of normal behavior can easily change, causing anomaly-based IDS systems to be prone to false positives where attacks may be reported based on events that are in fact legitimate network activity, rather than representing real attacks. (A false negative occurs when the IDS fails to detect malicious network activity. Similarly, a true positive occurs when the IDS correctly identifies network activity as a malicious intrusion; a true negative occurs when the IDS does not report legitimate network activity as an intrusion.) Traditional anomaly detection systems can also impose heavy processing overheads on networks.
By way of further background, U.S. Pat. No 6,785,818 teaches a programmable control module adapted to determine when a change in mapping constitutes a malicious code attack. U.S. Pat. No 6,681,331 teaches a dynamic software management approach to analyzing the internal, normal behavior of a system in order to assist in the detection of intruders. U.S. Pat. No 6,711,615 describes a method of network surveillance that includes receiving network packets (e.g., TCP) handled by a network entity and building long-term and short-term statistical profiles. A comparison between the building long-term and short-term profiles is used to identify suspicious network activity. A network surveillance system that compares statistical profiles to identify suspicious network activity is disclosed in U.S. Pat. No 6,708,212.
Thus, there remains an unsatisfied need for an intrusion detection system and method capable of quickly detecting a worm attack, as distinguished from legitimate network behavior, and mitigating the effects of the attack.